DETAILED ACTION

1. Claims 1-24 are pending in this office action.

2. Applicant's arguments, filed August 19, 2008, have been fully considered but 
they are not persuasive. 

Claim Rejections 

3. The text of those sections of Title 35, U.S. Code not included in this action can
be found in a prior office action.

Claim Rejections - 35 USC § 102 

4. Claims 1-4, 20, 21, 23, and 24 are rejected under 35 U.S.C. 102(a/e) as being
anticipated by Lineman et al. (U.S. Patent Pub. No. 2003/0065942). 

Regarding claim 1, Lineman et al. teaches a method/computer system
comprising:

• Describing a plurality of password policies in a computer usable password policy
data structure (fig. 6A and 6B);

• Accessing said computer usable password policy data structure by a password 
policy enforcement agent (paragraph 0083); and 

• Enforcing at least one of said plurality of password policies described within said
password policy data structure by said password policy enforcement agent 
(paragraph 0095). 

Regarding claim 20, Lineman et al. teaches instructions on a computer usable
medium wherein the instructions when executed cause a computer system to perform a
method of establishing a consistent password policy, said method comprising:

• Describing a plurality of password policies in a computer usable password policy
data structure (fig. 6A and 6B);

• Providing an access point with access to said computer usable password policy 
data structure (paragraph 0083); and 

• Receiving feedback from a password policy enforcement agent associated with 
said access point about which of said plurality of password policies have been 
successfully enforced (paragraph 0095 and fig. 2, ref. num 84). 

Regarding claim 23, Lineman et al. teaches a method/computer system
comprising: 

• Computer usable media comprising computer usable instructions that when 
executed on a processor of said first server computer implement a method of 
establishing a consistent password policy, said method comprising (fig. 6A and 
6B): 

• Accessing a computer usable password policy data structure by a password
policy enforcement agent (paragraph 0083); and 

• Enforcing a password policy described within said password policy data structure 
by said password policy enforcement agent (paragraph 0095). 

Regarding claims 2 and 21, Lineman et al. teaches wherein said computer
usable password policy data structure comprises a file structure compatible with
extensible markup language (fig. 6A and 6B).

Regarding claim 3, Lineman et al. teaches wherein said password policy
enforcement agent is operable on a client computer of a client-server computer system
(paragraph 0030 and fig. 1, ref. num 28).

Regarding claims 4 and 24, Lineman et al. teaches wherein said method is
operable on a utility data center (fig. 1).

Regarding claim 5, Lineman et al. teaches further comprising validating said
computer usable password policy data structure for authenticity by said password policy
enforcement agent (paragraph 0091).



Claim Rejections - 35 USC § 103 

5. Claim 19 is rejected under 35 U.S.C. 103(a) as being unpatentable over Lineman
et al. (U.S. Patent Pub. No. 2003/0065942) in view of Cole et al. (U.S. Patent Pub. No.
2002/0161707).

Regarding claim 19, Lineman et al. teaches all the limitations of claim 1, above.
However, Lineman et al. does not teach further comprising providing, by said password 
policy enforcement agent, feedback to a configuration and aggregation point, about 
which of said plurality of password policies have been successfully enforced. 

Cole et al. teaches further comprising providing, by said password policy 
enforcement agent, feedback to a configuration and aggregation point, about which of 
said plurality of password policies have been successfully enforced (paragraph 0083). 

It would have been obvious to one of ordinary skill in the art, at the time the 
invention was made, to combine providing feedback for successful enforcement, as 
taught by Cole et al., with the method of Lineman et al. It would have been obvious for
such modifications because feedback informs the user/administrator that the policy 
being enforced is working. 

Claims 5-18 and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Lineman et al. (U.S. Patent Pub. No. 2003/0065942) in view of Password Policy of
eRA (referred to as Password Policy hereinafter).

Regarding claims 5-18 and 22, Lineman et al. teaches all the limitations of claims
1 and 20, above. However, Lineman et al. does not teach specific policy types.

Password Policy teaches comprising a computer access password policy 
parameter selected from the set of computer access password policy parameters 
comprising: a threshold parameter for unsuccessful access attempts that when 
exceeded disables a computer system access account; a parameter indicating a
time duration within which said threshold parameter number of unsuccessful access 
attempts triggers locking of a computer system access account; an initial delay 
parameter to block access to a computer system access account for a period of time 
after an unsuccessful access attempt; a minimum password length parameter; a 
maximum password length parameter; a parameter to prohibit passwords consisting of 
a natural language word; a parameter to prohibit passwords consisting of a palindrome; 
a parameter to prohibit passwords consisting of a derivative of a computer system 
account name; a parameter to automatically generate a password; a parameter to 
automatically generate a pronounceable password consistent with all of said plurality of 
password policies; and a parameter to specify a set of characters utilizable to 
automatically generate a password (page 2-4, section 5.0 through 5.5). 

It would have been obvious to one of ordinary skill in the art, at the time the 
invention was made, to combine a plurality of different password policies, as taught by 
Password Policy, with the method/computer system of Lineman et al. It would have
been obvious for such modifications because the policies taught by Password Policy
reduce the risk of unauthorized access to servers and databases (see page 1, section
1.0 of Password Policy).

Response to Arguments 

6. 

a. Applicant argues the combination of references does not teach enforcing at
least one of said plurality of password policies by said password policy 
enforcement agent (see page 10 of applicant's arguments). 

b. The remaining sets of claims have been argued based on the same 
arguments by applicant (see page 11-12 of applicant's arguments).

Regarding argument (a), examiner disagrees. Figure 1 of Lineman et al. clearly 
shows a security server (30) that contains a program (32), which controls computer 
systems (26). The program (32) on the security server (30) acts as the password policy 
enforcement agent as claimed. Figure 2 and the accompanying description better 
describe the process of program (32) running on security server (30), specifically 
paragraph 0038. 

The security administrator then uses the security management program 32 to verify a degree of 
compliance with the security policies demonstrated by the computer systems 26 (block 92). The security 
management program 32 enables the administrator to set or audit the parameters on the computer systems 26 
(block 94). The administrator may run a checkup report to measure or change the parameters on the computer 
systems 26 (block 96). Additionally, the administrator may set the parameters on the computer systems 26 in 
response to the measurement to make the systems compliant with the policy. Additionally, detect rules may be 
configured when creating the security policy document and may be communicated to the computer systems 26,
instructing the agent software 28 on the computer systems 26 to notify the security management program 32 of 
any future changes in configuration of the security parameters on the systems (block 98). 

Paragraph 0083 provides additional support to show the security server (30) and 
its program (32) are in control of enforcing policy matters. 

In combination with or independent from publishing the security policy document to the users 54, the 
disclosed software publishes the security policy document to the security server 30 having the security 
management program 32. As previously noted, the security management program 32 is used to set and audit 
the security policies of the document on the various computer systems 26 of the platforms 20, 22, 24. 
Additionally, the security management program 32 is used to review detect rules, which are automatically 
created to enforce the policy of the platforms 20, 22, 24. In publishing the security policy document to the
security management program 32, the policy management program 42 extracts the technical and platform
controls from the XML file representing the security policy in the machine-readable form. The technical and
platform controls populate the databases, files, and routines associated with the security management program 
32. Using the technical and platform controls, the security administrator may verify compliance of the computer 
systems 26 and set/audit the systems from within the security management program 32. 

Regarding argument (b), examiner disagrees. The remaining claims are rejected 
in view of the same reasons as set forth above. 

Conclusion 

7. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to BRANDON S. HOFFMAN whose telephone number is 
(571)272-3863. The examiner can normally be reached on M-F 8:30 - 5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser G. Moazzami can be reached on 571-272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Brandon S Hoffman/ 

Primary Examiner, Art Unit 2436 



